RE: LSADump2 Crashing Systems
From: Ghetti, Tim (tghetti_at_air-worldwide.com)
Date: 09/09/05
- Previous message: Mike Jones: "nmap showing port 21 (ftp) open, but port is actually closed"
- Maybe in reply to: oh face: "LSADump2 Crashing Systems"
- Next in thread: RCS: "Re: LSADump2 Crashing Systems"
- Reply: RCS: "Re: LSADump2 Crashing Systems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 9 Sep 2005 16:17:25 -0400 To: "oh face" <0h.fac3@gmail.com>, <pen-test@securityfocus.com>, <focus-ms@securityfocus.com>
I had this experience with a 2003 server domain controller fully
patched. It killed the lsass process and force rebooted. At the time I
was investigating an unrelated issue and thought that the reboot was due
to the other issue. I never investigated this issue, as it was highly
unlikely that anyone use the LSADump other than me.
> -----Original Message-----
> From: oh face [mailto:0h.fac3@gmail.com]
> Sent: Friday, September 02, 2005 5:31 PM
> To: pen-test@securityfocus.com; focus-ms@securityfocus.com
> Subject: LSADump2 Crashing Systems
>
> In my recent pen-test experience, LSADump2 has been crashing
> Windows boxes. I was able to verify this on fully patched
> Windows XP and 2003.
> In further examination, LSADump2, when executed, killed the "lsass"
> process, and with the "winlogon" process still running, the
> system was forced to reboot. As far as I know, LSADump2 is
> utilizing a DLL injection technique to dump the contents of
> LSA secrets.
>
> Question:
> 1. Has anyone had this experience? If so, is there a safe
> method to execute this tool?
> 2. When I tested LSADump2 on various Windows boxes, not all
> fully patched boxes were affected by this issue. What
> configuration of Windows is exactly causing "lsass" to fail?
>
> Cheers.
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking
> applications on your website. Up to 75% of cyber attacks are
> launched on shopping carts, forms, login pages, dynamic
> content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website
> for vulnerabilities to SQL injection, Cross site scripting
> and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------
>
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
- Previous message: Mike Jones: "nmap showing port 21 (ftp) open, but port is actually closed"
- Maybe in reply to: oh face: "LSADump2 Crashing Systems"
- Next in thread: RCS: "Re: LSADump2 Crashing Systems"
- Reply: RCS: "Re: LSADump2 Crashing Systems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
